
10 Steps to Cyber Security

Defining and communicating your Board's Information Risk Regime is central to your organisation's overall cyber security strategy. The National Cyber Security Centre recommends you review this regime together with the nine associated security areas described below, in order to protect your business against the majority of cyber attacks.

Set up your Risk Management Regime
Assess the risks to your organisation's information and systems with the same vigour you would for legal, regulatory, financial or operational risks. To achieve this, embed a Risk Management Regime across your organisation, supported by the Board and senior managers. Make cyber risk a priority for your Board, produce supporting risk management policies, and determine your risk appetite.

Network Security
Protect your networks from attack. Defend the network perimeter, filter out unauthorised access and malicious content. Monitor and test security controls.

Managing user privileges
Establish effective management processes and limit the number of privileged accounts. Limit user privileges and monitor user activity. Control access to activity and audit logs.

User education and awareness
Produce user security policies covering acceptable and secure use of your systems. Include in staff training. Maintain awareness of cyber risks.

Incident management
Establish an incident response and disaster recovery capability. Test your incident management plans. Provide specialist training. Report criminal incidents to law enforcement.

Malware prevention
Produce relevant policies and establish anti-malware defences across your organisation.

Monitoring
Establish a monitoring strategy and produce supporting policies. Continuously monitor all systems and networks. Analyse logs for unusual activity that could indicate an attack.

Removable media controls
Produce a policy to control all access to removable media. Limit media types and use. Scan all media for malware before importing onto the corporate system.

Home and mobile working
Develop a mobile working policy and train staff to adhere to it. Apply the secure baseline and build to all devices. Protect data both in transit and at rest.

Secure configuration
Apply security patches and ensure the secure configuration of all systems is maintained. Create a system inventory and define a baseline build for all devices.

For more information go to www.ncsc.gov.uk @ncsc
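The Monitoring step above says to analyse logs for unusual activity that could indicate an attack. As an added example that is not part of the NCSC infographic, the following Python script scans a handful of constructed authentication log lines for two such patterns: a burst of failed logins against one account within a short window, and a successful login that immediately follows such a burst. The log line format, the field names, the thresholds and the sample entries are all assumptions made for this example, not a real product's format or NCSC's own guidance.

```python
"""Added example for the "Monitoring" step: flag unusual authentication activity
in log lines.  Log format, thresholds and sample data are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Assumed line format (constructed for this example):
#   "<ISO-8601 timestamp> auth <user> <FAIL|OK> from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<user>\S+) (?P<result>FAIL|OK) from (?P<ip>\S+)$"
)

# Thresholds are assumptions; tune them against your own baseline.
FAIL_THRESHOLD = 5             # failures inside WINDOW that count as a burst
WINDOW = timedelta(minutes=5)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "user": m["user"],
        "result": m["result"],
        "ip": m["ip"],
    }


def analyse(lines):
    """Return a list of (timestamp, user, description) alerts for:
    - FAIL_THRESHOLD or more failed logins for one user inside WINDOW
    - a successful login for a user who just had such a burst of failures
    """
    alerts = []
    recent_fails = defaultdict(deque)   # user -> timestamps of recent failures
    burst_alerted = set()               # users already reported for a burst
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue    # unparsed lines are skipped here; count them in production
        q = recent_fails[ev["user"]]
        # Forget failures that fall outside the sliding window.
        while q and ev["ts"] - q[0] > WINDOW:
            q.popleft()
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
            if len(q) >= FAIL_THRESHOLD and ev["user"] not in burst_alerted:
                burst_alerted.add(ev["user"])
                alerts.append((ev["ts"], ev["user"],
                               f"{len(q)} failed logins within {WINDOW} from {ev['ip']}"))
        else:
            # A success right after a burst of failures deserves a second look.
            if len(q) >= FAIL_THRESHOLD:
                alerts.append((ev["ts"], ev["user"],
                               f"successful login after {len(q)} recent failures from {ev['ip']}"))
            q.clear()
            burst_alerted.discard(ev["user"])
    return alerts


# Constructed sample log (documentation IP ranges, fictional users).
SAMPLE_LOG = [
    "2024-01-15T02:00:00 auth alice FAIL from 203.0.113.7",
    "2024-01-15T02:01:00 auth alice FAIL from 203.0.113.7",
    "2024-01-15T02:02:00 auth alice FAIL from 203.0.113.7",
    "2024-01-15T02:03:00 auth alice FAIL from 203.0.113.7",
    "2024-01-15T02:04:00 auth alice FAIL from 203.0.113.7",
    "2024-01-15T02:05:00 auth alice OK from 203.0.113.7",
    "2024-01-15T08:00:00 auth carol FAIL from 192.0.2.9",
    "2024-01-15T09:10:00 auth bob FAIL from 198.51.100.4",
    "2024-01-15T09:10:20 auth bob OK from 198.51.100.4",
    "2024-01-15T10:00:00 auth carol FAIL from 192.0.2.9",
    "2024-01-15T12:00:00 auth carol FAIL from 192.0.2.9",
    "2024-01-15T12:30:00 kernel: unrelated message that does not parse",
]

if __name__ == "__main__":
    for ts, user, text in analyse(SAMPLE_LOG):
        print(f"{ts.isoformat()} {user}: {text}")
```

Running the script reports only the alice account: once when the fifth failure lands inside the five-minute window, and again when the login that follows succeeds. Bob's single typo and carol's three failures spread across the morning stay below the threshold, which is the point of using a window rather than a lifetime count.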
